There are a number of services and methods to mitigate the classic DDoS attacks. Despite we saw a spike in the size and number of DDoS attacks in the recent past (where “memcached” servers were used to launch terabit DDoS attacks), everything was pretty much under control, until now.

New DDoS method

Recently, a new technique for DDoS is discovered – the UPnP port masking. This method was first detailed last month by security researchers from Imperva. According to their reports, DDoS botnets are recently starting to use the UPnP protocol found on home routers for bouncing DDoS traffic off the router, but alter the source port of the traffic to a random number.

This method successfully evades the previous DDoS mitigation system. Older mitigation system relies on reading the information and because of the new technique, it’s not working anymore. Thus, DDoS botnets are able to successfully hit the target.

However, there’s a way to prevent such an incident by implementing newer DDoS mitigation system that rely on DPI (Deep Packet Inspection). Using this technique, the UPnP DDoS attacks are not able to hit the target. Unfortunately, the price and performance of the better DDoS protection system isn’t so friendly. The method works slower and really costly for users.

UPnP port masking spreads from DNS, NTP to SSDP

Back in May, Imperva researchers reported that they identified botnets that were executing DDoS attacks from NTP and DNS protocols, but disguised the traffic as coming from random ports instead of expected ports (port 53 for DNS and port 123 for NTP).

Recently, a report from Arbor Network confirmed seeing a similar DDoS attack that leveraged the UPnP protocol. However, this time, the method masked the SSDP-based DDoS data packets. It would be easy to defend against SSDP DDoS as identifying data coming from port 1900. As it was behind UPnP, it’s not easily detectable any more.

It’s clearly obvious that we’re going to see more of this attack in the near future as the technique starts to popularize itself among botnet groups. Security companies have to investigate and find out ways to prevent this type of DDoS attack and save the industry.

The post UPnP DDoS Attacks are becoming a Reality appeared first on Linux Windows and android Tutorials.

The Memcached servers are the biggest benefit on hackers’ end. These servers can dramatically increase the load of DDoS, which is why we’re seeing terabit DDoS. Memcached servers allow super-fast access to loads of data to apps from other external databases into the cache memory. Apps can read and use data faster from there, speeding up the performance. It’s heavily used in business models for providing more cutting-edge performance. However, the same thing hackers are using to lauch the terabit attacks.

Why use DDoS

DDoS (Distributed Denial of Service) is one of the oldest-fashioned yet effective method of making an online service unavailable to others. This is a not DIRECT hack. Instead, it disables the feature for quite a time.

DDoS was a serious threat in the previous generation of internet. Nowadays, the tricks to trigger a DDoS attack and other requirements are quite easy to acquire. In many cases, newbie hackers try to have some fun with it. So, why it’s widely used today? It’s mainly important to note the industrial usage. For example, if Google was down for about 5 minutes, that would mean serious issue to the business. This attack can also be to redirect focus from an event to another, often to anonymize the real hacking.

The mitigation

This technique is quite interesting. One of the developers of Memcached servers, Dormando, proposed the workaround. According to his tweet,

For what it’s worth, if you’re getting attacked by memcached’s, it’s pretty easy to disable them since the source won’t be spoofed. They may accept “shutdown\r\n”, but also running “flush_all\r\n” in a loop will prevent amplification.

— dormando (@dormando) February 27, 2018

Unfortunately, the proposal didn’t get much attention in the first place. Corero, a network protection service, recently reported that they integrated the trick into their system and found “100% effective” in any live DDoS attack. The Corero experts also said that they didn’t notice any type of collateral damage of this technique.

Update “Memcached” servers

The main reason why Memcached servers are widely used in the recent attacks is that Memcached servers are widely used and left accessible online. The servers available for public access on port 11211. This enabled the present occurrences.

Now, an update of Memcached server software is available. The latest version (currently) is v1.5.6. The Memcached team patched the system from the vulnerability. This version disables UDP protocol (by default). The user has to manually turn it on while deploying the server. If you’re an owner of Memcached server, get the latest Memcached.

Number of open “Memcached” decreased

After the occurrence of the major DDoS attacks, security researchers and cloud service providers started taking necessary steps to protect the web from the disaster.

Although there were 107,431 Memcached servers in Shodan this morning. The population Memcached is slowly but steadily shrinking. Servers which where vulnerable this morning are now closed 8 hours later. We still have a long way to go but progress is being made. ? pic.twitter.com/nqAFt4BAmG

— Victor Gevers (@0xDUDE) March 7, 2018

According to this tweet, the number dropped down a lot.

Moreover, system admins also took actions to protect their servers from such misuse.

Last week there were 93,000 Memcached servers left exposed online. This week we have 105,000.

What are you doing people?!?!?!? You’re supposed to put them behind a firewall, not in front of it. ?? pic.twitter.com/YUGsFvER4n

— Catalin Cimpanu (@campuscodi) March 5, 2018

More Memcached flaw(s)

Memcached isn’t fixed yet. According to Corero, the vulnerability was more dangerous than expected as it could also allow the hacker to modify/steal information from the servers. However, Corero didn’t provide any detailed info on the flaw. They reached out to national security agencies so that they can prepare and send out the proper security alerts.

Check out if it’s possible to avoid DDoS.

The post How to Mitigate DDoS from Memcached Servers appeared first on Linux Windows and android Tutorials.